Massachusetts Privacy Regulations Affect Companies in All 50 States
Categories:Types, Business/Law
Published by: myownmind on Feb 09, 2012
Copyright:Attribution Non-commercial
Background - State Privacy Regulations

State privacy regulations safeguarding personal information (P.I.) have been established by over forty states. One of the most recent states to establish privacy regulations and security breach notification requirements is Massachusetts. The Massachusetts Privacy Regulations are the most comprehensive state regulations, and they are likely to become the model for other states. The Massachusetts Privacy Regulations require businesses and other holders of personal information to ensure that consumers' information is kept safe. The Regulations may affect how your business protects certain confidential personal information, even if you are not located in Massachusetts.

The impetus for the Massachusetts Privacy Regulations included over 450 reported cases of stolen or lost personal information that affected nearly 700,000 Massachusetts residents during 2007-08.

Achieving compliance with at least the minimum requirements of the Massachusetts Privacy Regulations will likely minimize future compliance efforts as states and the federal government strengthen their requirements for protecting personal information.

Massachusetts Privacy Regulation 201 CMR 17.00

The Massachusetts Privacy Regulations affect companies in all 50 states. The Regulations apply to all businesses and legal entities that collect or store confidential personal data regarding consumers and employees residing in Massachusetts, including entities with no physical presence in Massachusetts.

The Massachusetts Privacy Regulations preserve the privacy of consumers and employees by increasing the level of security on personal data held by businesses and other types of organizations. The Regulations mandate that personal information, including a combination of a name along with a Social Security number, bank account number, or credit card number, be encrypted when stored on portable devices, or transmitted wirelessly or on public networks.

Encryption of personal information on portable devices carrying identity data, including laptops, PDAs and flash drives, must also be implemented by Jan. 1, 2010, ensuring increased protection of personal information. The majority of personal information security breaches involve the theft of portable devices. Data encryption significantly reduces consumer risk if information is lost or stolen. The regulations require businesses to encrypt documents containing personal information sent over the Internet or saved on laptops or flash drives, encrypt wirelessly transmitted data, and utilize up-to-date firewall protection that creates an electronic gatekeeper between the data and the outside world and only permits authorized users to access or transmit data.

The Massachusetts Privacy Regulations require businesses and other organizations to prepare and maintain an up-to-date Written Information Security Program (WISP) to achieve compliance with the Regulation and to prepare for compliance audits. Conducting a State Privacy Regulation Compliance Survey is a highly effective way to gather the comprehensive information required for creating a WISP and achieving compliance with privacy regulations. Personal Information Privacy Compliance Surveys collect information from your company's employees about their handling of employees' and customers' personal information.

State Privacy Regulation Compliance Surveys

State Privacy Regulation Surveys assess how companies and other types of organizations currently handle employee and consumer personal information as part of their effort to comply with state privacy regulations.

The Massachusetts Privacy Regulations Survey gathers comprehensive information that identifies what needs to be done to comply with the Massachusetts Privacy Regulations. The survey collects a wide range of information from employees located in Massachusetts and across the U.S. Survey reports provide data about the handling of private customer and employee information for the organization overall and for each organizational unit.

Complying with the Massachusetts Privacy Regulations and other state privacy regulations requires knowing which employees in your organization receive, handle, store (including on-site and 3rd party off-site storage), transmit and perform other processes with personal data in electronic and paper formats. Companies are also required to know the sources of P.I. and where, how and how frequently P.I. is received, handled, stored and transmitted. The Massachusetts Privacy Regulations also require having control over document/data retention/destruction schedules where personal information is included. You also need to know which automated and manual systems are used for storing and transmitting personal information.

State Privacy Regulation Surveys enable companies and other types of organizations to comply with federal and state privacy laws. The surveys help avoid the costs and negative publicity associated with breaches of personal information privacy due to P.I. theft and carelessness on the part of employees while handling the personal information of customers and employees.

Massachusetts Privacy Regulations Compliance Deadlines

· The general compliance deadline for 201 CMR 17.00 was extended from January 1, 2009 to May 1, 2009.
· The deadline for ensuring that third-party service providers are capable of protecting personal information and contractually binding them to do so was extended from January 1, 2009 to May 1, 2009, and the deadline for requiring written certification from third-party providers will be further extended to January 1, 2010.
· The deadline for ensuring encryption of laptops was extended from January 1, 2009 to May 1, 2009, and the deadline for ensuring encryption of other portable devices was extended to January 1, 2010.

201 CMR 17.00 - Answers to Frequently Asked Questions (FAQs)

1. Your information security program must be in writing. Everyone who stores or maintains personal information must have a written plan detailing the measures adopted to safeguard such information.
2. You are responsible for independent contractors working for you. You have the duty to take all reasonable steps (1) to verify that any third-party service provider with access to personal information has the capacity to protect personal data as provided for in 201 CMR 17.00; and (2) to ensure that third-party service providers are applying to personal information protective security measures at least as stringent as those required to be applied to P.I. under 201 CMR 17.00.
3. You do not have to inventory your paper and electronic records. You do need to identify which of your records contain personal data so that you can handle and protect that information in a manner that complies with the regulations.
4. You need to determine whether your current computer system complies with the encryption requirements. You do need to make sure that the encryption process you are using is transforming the data so that it cannot be understood without the use of a confidential key or process.
5. Both the statute and the regulations specify that compliance is to be judged taking into account the size and scope of your business, the resources that you have available to you, the amount of data you store, and the need for confidentiality.
6. You will need to do enough training to ensure that employees with access to personal data know what their obligations are regarding the protection of that information as defined by the regulations.
7. The Massachusetts regulations require limiting access to personal data only to those individuals who are reasonably required to have access in order to accomplish a legitimate business purpose, or to comply with other state or federal regulations. You should identify your business needs, determine what tasks are reasonably necessary to satisfy those business needs, and identify who must have access to carry out those tasks.
8. The correct approach for limiting the amount of personal data collected involves determining your legitimate business needs and identifying the kind of personal information reasonably needed to perform the tasks required to satisfy those business needs. Collection of personal data needed for compliance with state or federal laws/regulations is permitted.
9. Your need for new computer software or equipment will depend on whether your current equipment meets the minimum requirements for running the software that will secure any electronic records containing personal data. The versions of the security and operating system software that you currently have must be supported to receive security updates, and your computer equipment must meet the minimum requirements for running the needed software. If not, you will need new software, new hardware, or both.
10. The level of monitoring necessary to ensure your information security program is providing protection from unauthorized access to, or use of, personal information, and effectively limiting risks, will depend largely on the nature of your business, your business practices, and the amount of personal data you are maintaining or storing. It will also depend on the form in which the information is kept and stored. Information stored as a paper record will require different monitoring techniques from those applicable to electronically stored records. The monitoring that you implement must be reasonably likely to reveal unauthorized access or use.
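The definition of personal information given above (a name combined with a Social Security number, bank account number or credit card number), FAQ 3 (identify which records contain personal data) and the encryption rule for portable devices, wireless and public-network transmission can be turned into a screening check over exported records. This is an added example, not code from the original article; the record field names, the identifier formats and the storage-context labels are assumptions, and the sample records are constructed.

```python
import re

# Identifier formats assumed for the constructed sample data; 201 CMR 17.00 as
# summarized above does not prescribe number formats, so adjust for your exports.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
CARD_RE = re.compile(r"^\d{13,19}$")
BANK_RE = re.compile(r"^\d{6,17}$")

# Contexts in which the Regulations, as summarized above, mandate encryption
# of personal information (storage on portable devices, wireless or public-network transit).
ENCRYPT_CONTEXTS = {"portable_device", "wireless", "public_network"}

def luhn_valid(number):
    """Mod-10 checksum used by payment cards; rejects most random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def identifiers_in(record):
    """Which of the three regulated identifiers a record carries."""
    found = set()
    if SSN_RE.match(record.get("ssn", "")):
        found.add("ssn")
    card = record.get("card", "").replace(" ", "")
    if CARD_RE.match(card) and luhn_valid(card):
        found.add("credit_card")
    if BANK_RE.match(record.get("bank_account", "")):
        found.add("bank_account")
    return found

def is_personal_information(record):
    """P.I. per the definition above: a name plus at least one regulated identifier."""
    has_name = bool(record.get("first_name")) and bool(record.get("last_name"))
    return has_name and bool(identifiers_in(record))

def encryption_required(record, context):
    return is_personal_information(record) and context in ENCRYPT_CONTEXTS

def records_needing_encryption(records):
    """Ids of records that are P.I. and sit in a context where encryption is mandated."""
    return [r["id"] for r in records if encryption_required(r, r["context"])]

SAMPLE_RECORDS = [  # constructed sample data, not real people
    {"id": 1, "first_name": "Ann", "last_name": "Lee", "ssn": "123-45-6789", "context": "portable_device"},
    {"id": 2, "first_name": "Bob", "last_name": "Ray", "card": "4111 1111 1111 1111", "context": "public_network"},
    {"id": 3, "first_name": "Cy", "last_name": "Doe", "card": "4111 1111 1111 1112", "context": "wireless"},
    {"id": 4, "first_name": "Di", "last_name": "Fox", "bank_account": "00123456789", "context": "on_site_server"},
    {"id": 5, "first_name": "", "last_name": "Gee", "ssn": "987-65-4321", "context": "portable_device"},
]
```

Record 4 is personal information but is held on an on-site server, so it falls under the WISP and access-control requirements rather than the portable-device encryption rule; record 3 fails the Luhn check and record 5 lacks a full name, so neither meets the definition.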